Re: [PATCH] net/llc: fix UBSAN array-index-out-of-bounds in llc_conn_state_process
From: Krzysztof Kozlowski
Date: Sat May 16 2026 - 17:30:22 EST
On 15/05/2026 19:49, Kartik Nair wrote:
> When a timer fires while the socket is owned by a user, the timer event
> is deferred to the backlog via __sk_add_backlog(). By the time the
> backlog drains, llc->state may have been set to LLC_CONN_OUT_OF_SVC (0)
> by socket teardown. llc_conn_state_process() then calls llc_conn_service()
> which computes llc_offset_table[state - 1] = llc_offset_table[-1],
> triggering UBSAN array-index-out-of-bounds.
>
> llc_process_tmr_ev() already guards against LLC_CONN_OUT_OF_SVC for the
> direct path, but this guard is bypassed when sock_owned_by_user() is true
> and the event is queued to the backlog. By the time the backlog drains,
> teardown may have set state to 0.
>
> The direct path already handles this case, so the same check belongs
> in the consumer too.
Considering you sent similarly complex patches to MM, WiFi, accel and
now to NFC, I am sure you are using an LLM without disclosing it.
Please explain, in your own words, what the "direct path" is.
Best regards,
Krzysztof
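The race described in the quoted commit message (timer event deferred to the backlog while the socket is owned by a user, teardown setting the state to 0 before the backlog drains, and the consumer then computing `table[state - 1]`) can be reproduced in a small user-space model. The program below is an added example written for this reply; it is not kernel code, not Kartik Nair's patch, and the names `process_event`, `timer_fires`, `drain_backlog`, `simulate` and the constructed `offset_table` are assumptions standing in for the LLC state machine. It shows why a guard only on the producer side is not enough: the guard must also run where the deferred event is consumed.

```c
#include <stdio.h>

/* Constructed model, not kernel code. State 0 plays the role of
 * LLC_CONN_OUT_OF_SVC; states 1..NUM_STATES index a per-state table
 * via (state - 1), like llc_offset_table in the commit message. */
#define OUT_OF_SVC  0
#define NUM_STATES  4
#define BACKLOG_MAX 8
#define EV_TIMER    1

static const int offset_table[NUM_STATES] = { 10, 20, 30, 40 };

struct conn {
    int state;
    int owned_by_user;            /* sock_owned_by_user() analogue */
    int backlog[BACKLOG_MAX];
    int backlog_len;
};

/* Consumer side. With guard_in_consumer == 0 this models the code before
 * the fix; the bounds check only exists so the model itself stays safe,
 * and *oob records that the real code would have indexed table[-1]. */
static int process_event(struct conn *c, int ev, int guard_in_consumer, int *oob)
{
    int idx;

    if (guard_in_consumer && c->state == OUT_OF_SVC)
        return 0;                  /* drop the stale deferred event */

    idx = c->state - 1;
    if (idx < 0 || idx >= NUM_STATES) {
        *oob = 1;                  /* out-of-bounds index would occur here */
        return -1;
    }
    return offset_table[idx] + ev;
}

/* Producer side (the "direct path"). The existing OUT_OF_SVC guard only
 * protects events processed immediately; deferred ones bypass it. */
static void timer_fires(struct conn *c, int guard_in_consumer, int *oob)
{
    if (c->owned_by_user) {
        if (c->backlog_len < BACKLOG_MAX)
            c->backlog[c->backlog_len++] = EV_TIMER;
        return;
    }
    if (c->state == OUT_OF_SVC)
        return;
    process_event(c, EV_TIMER, guard_in_consumer, oob);
}

/* Backlog drain, run later once the socket is released by the user. */
static void drain_backlog(struct conn *c, int guard_in_consumer, int *oob)
{
    int i;
    for (i = 0; i < c->backlog_len; i++)
        process_event(c, c->backlog[i], guard_in_consumer, oob);
    c->backlog_len = 0;
}

/* Returns 1 if the consumer would have indexed offset_table[-1]. */
int simulate(int guard_in_consumer)
{
    struct conn c = { .state = 2, .owned_by_user = 1, .backlog_len = 0 };
    int oob = 0;

    timer_fires(&c, guard_in_consumer, &oob);   /* deferred to backlog */
    c.state = OUT_OF_SVC;                       /* teardown races in */
    c.owned_by_user = 0;
    drain_backlog(&c, guard_in_consumer, &oob); /* consumer runs now */
    return oob;
}

/* Control case: no user ownership, state already 0; the direct-path guard
 * alone is sufficient here. Returns 1 on an out-of-bounds index. */
int simulate_direct_path(void)
{
    struct conn c = { .state = OUT_OF_SVC, .owned_by_user = 0, .backlog_len = 0 };
    int oob = 0;

    timer_fires(&c, 0, &oob);
    return oob;
}

int main(void)
{
    printf("deferred, no consumer guard: oob=%d\n", simulate(0));
    printf("deferred, consumer guard:    oob=%d\n", simulate(1));
    printf("direct path, state 0:        oob=%d\n", simulate_direct_path());
    return 0;
}
```

Running the model prints `oob=1` only for the deferred case without the consumer-side guard, which is the combination the commit message describes; adding the check where the backlog is consumed makes that case safe without touching the direct path.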